Meltdown and Spectre processor vulnerabilities: what we’re doing to address it

8 January 2018

Last week researchers in Austria announced they’d discovered two very serious security flaws in computer processors, named Meltdown and Spectre. Between them, the two flaws affect most desktop computers, servers, laptops, tablets and phones.

They can allow attackers to access any information on your computer or device. And it’s almost certain that the device on which you’re reading this is or was vulnerable to one or both of the flaws. One of the flaws, “Spectre”, is relatively easy to execute via your web browser.

The flaws are firmware-based (software that runs inside your processor below the operating system) and this makes the patching process more complex, requiring close cooperation between software vendors and hardware manufacturers.

The flaws are likely to exist across your business, including servers, desktops and mobile devices.

What CommArc is doing to address Meltdown and Spectre

CommArc has developed a quick reaction strategy (QRS) to deal with these very serious security issues. This strategy includes:

Governance – at senior management

Ongoing communication between ourselves, our suppliers and you

Account engagement – to ensure you know what we are doing

Internal testing

Prioritisation – highest risk first

Documentation – what has been applied and who is at risk

If you are a CommArc Cloud customer

The CommArc Cloud Team is in the process of patching our cloud infrastructure. At this stage we do not expect any significant outages to our core cloud infrastructure, although some peripheral cloud services may require a short outage. The CommArc Cloud Team will keep all Cloud customers informed of this.

Depending on the Cloud service you are operating, some customers will require patches to be applied to your platform operating system (e.g. Windows Server and Linux). This will be dealt with by the Consulting Team (see next section).

If you are not on CommArc Cloud

Our Consulting and Account Management teams are currently working with all of our customers to ascertain priority and next steps. We are developing strategies to suit each customer on an individual basis. We expect that there will be downtime (reboot) associated with most patches.

Meltdown and Spectre’s effect on your other devices

All other devices around your workplace and home will also be affected by Spectre / Meltdown. If your device is an Apple / Android mobile device then patches will be automatically issued by your manufacturer in due course. If your work / home device is a Windows workstation then it will also need to be patched in accordance with Microsoft's security update process.

Application-specific risks from Meltdown and Spectre

At this stage we are aware that SQL Server is also affected and there are patches that need to be applied. Microsoft have only released patches for SQL Server 2016 and 2017 at this stage, but we do expect earlier versions to also require patching.

At this stage we are unaware of any further application-specific issues (e.g. Exchange Server), but that is not to say these will not occur.

Are there any fees associated with this?

In most cases, unfortunately yes. These issues are not of our making, and whilst we are doing our best to test and streamline, there will be costs associated with applying the patches. Our Cloud platform is currently being patched, and this is at no cost to cloud customers.

Our Consulting and Account Management teams will be sending out approval requests to develop a remediation strategy, including patching your server, workstation and database environments in accordance with the manufacturers' instructions. At this stage we can only estimate the time required to do this (provide a guideline) based on our initial testing. As a result, we expect most engagements will be on a time and materials basis.

Applying your own patches

Of course you can apply your own patches to your workstations and home computers. You will need to carefully follow the manufacturer’s instructions to do so. CommArc strongly recommend against patching your own platforms unless you are very familiar with these environments. The patches are a combination of firmware and software, and as such they are specific to certain machine types and operating systems.

We would recommend that you keep a record of everything you do, so if there is a problem we will be in a better position to help you.
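One way to put the "keep a record" advice into practice on a Windows workstation or server, as an added example that is not CommArc's tooling or Microsoft's own guidance: snapshot the mitigation state reported by Microsoft's SpeculationControl PowerShell module (published on the PowerShell Gallery; installing it needs internet access the first time), write it to a dated JSON file, and run it again after patching so the before and after records can be compared. The record directory and the property names chosen for the snapshot are assumptions made for this example. Note that the module reports on the Meltdown mitigation (kernel VA shadowing) and Spectre variant 2 (branch target injection); Spectre variant 1 is mitigated inside individual applications and browsers, so it will not show up here.

```powershell
# Added example, not CommArc's own tooling. Records Meltdown/Spectre mitigation
# state on a Windows machine so that pre- and post-patch states can be compared.
# Assumes Microsoft's SpeculationControl module from the PowerShell Gallery.
param(
    # Where the dated JSON records are kept (assumed location for this example).
    [string] $RecordDir = (Join-Path $env:USERPROFILE 'patch-records')
)

function Get-MitigationSnapshot {
    # Import Microsoft's module; install it for the current user if it is missing.
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    # The cmdlet prints its own explanation to the console and returns an object.
    $s = Get-SpeculationControlSettings

    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Host      = $env:COMPUTERNAME
        OsBuild   = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        Cpu       = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
        # Spectre variant 2: needs both the CPU microcode and the OS support enabled.
        SpectreMicrocodePresent    = $s.BTIHardwarePresent
        SpectreOsSupportEnabled    = $s.BTIWindowsSupportEnabled
        # Meltdown: kernel VA shadowing is required on affected CPUs and must be enabled.
        MeltdownMitigationRequired = $s.KVAShadowRequired
        MeltdownMitigationEnabled  = $s.KVAShadowWindowsSupportEnabled
        # Most recent hotfixes, so the record shows what was applied and when.
        HotFixes = @(Get-HotFix | Sort-Object InstalledOn -Descending |
                     Select-Object -First 10 HotFixID, InstalledOn)
    }
}

function Test-MitigationsActive {
    # True only when the Spectre v2 mitigation is fully on and Meltdown is
    # either not applicable to this CPU or mitigated.
    param([Parameter(Mandatory)] $Snapshot)
    $spectreOk  = [bool]$Snapshot.SpectreMicrocodePresent -and [bool]$Snapshot.SpectreOsSupportEnabled
    $meltdownOk = (-not [bool]$Snapshot.MeltdownMitigationRequired) -or [bool]$Snapshot.MeltdownMitigationEnabled
    return ($spectreOk -and $meltdownOk)
}

function Save-MitigationRecord {
    # Writes one timestamped JSON file per run and returns its path.
    param([Parameter(Mandatory)] $Snapshot, [string] $Dir = $RecordDir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $file = Join-Path $Dir ('{0}-{1:yyyyMMdd-HHmmss}.json' -f $Snapshot.Host, (Get-Date))
    $Snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8
    return $file
}

$snap = Get-MitigationSnapshot
$file = Save-MitigationRecord -Snapshot $snap
if (Test-MitigationsActive -Snapshot $snap) {
    Write-Host "Meltdown and Spectre v2 mitigations active. Record written to $file"
} else {
    Write-Host "Mitigations NOT fully active. Record written to $file; re-run after patching and compare."
}
```

Run it once before applying any firmware or Windows update and once afterwards; the two JSON files then document what state the machine was in, which hotfixes were present, and whether the microcode (firmware) part of the fix actually arrived, which is the part that most often lags because it depends on the hardware manufacturer rather than Microsoft.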

Anti-virus systems

We are of the view that most anti-virus and deep security systems are not effective / trusted barriers (at this time) for specific exploits related to Spectre / Meltdown.

Don’t panic

At this stage we are not aware of any specific wide-ranging commercial threats that have been developed to take advantage of Spectre / Meltdown. However, there are some tools appearing on the Dark Web that purport to take advantage of these issues. As a result, we do expect to see some specific exploits appearing soon.

Performance impacts

There has been discussion online in relation to the performance impact of the patches that are being made to processor firmware. At this stage there is no immediate real world indication of performance impact. However, the exploit in question takes advantage of a CPU performance feature, and as such it is possible that future performance may be affected.

Timelines

This is an evolving situation that is largely dictated by the primary hardware and software vendors. Most of the patches currently in circulation are preliminary and we do expect additional patches to be released as the situation evolves.

Managing your commercial risk from Meltdown and Spectre

It is important that you engage with the CommArc team as soon as practical to begin the process of risk assessment and mitigation. We can help you decide what equipment should be patched and when best to do this (as best suits your business).

Most importantly, please be aware that this is a potentially serious design vulnerability and we would like all CommArc customers to have, at a minimum level, a clear awareness of this risk.

Please do not hesitate to make contact if you have any questions. The entire team at CommArc is fully briefed and aware of the technical situation and our associated strategy.